The effects of Heimdall ransomware

Heimdall virus happens to be one of those cyber threats inspired by mythology. The crooks favor Norse mythology after continuously terrorizing the world with the family of ODIN, Locky, and Thor. This time they borrowed the name of Heimdall – the deity of dawn and light – for their ransomware image. The virus received more attention after its author published it in GitHub, open-source project network. There, he demonstrated its features. Though the ransomware is not expected to be released on the massive scale, there are already cases when some users were attacked by this virus. If this malware has befallen you as well, you need to remove Heimdall completely. More information about its elimination steps can be found below the article.

The ransomware has been created using PHP programming language. Though it differs in operation ways, the main principle is the same. Heimdall ransomware hides in a 482-line PHP file. Speaking of encryption techniques, it uses a specific variant of AES-128-CBS algorithm to encode personal data. Once the file-encrypting virus lands on a system, the file generates a graphical image of the ransom note. It presents email@email.com address as a distinctive label. The price of two bitcoins are asked in exchange for their files. The window also contains the tabs where “password for encrypted” and “password for decrypted” can be entered.

Questions about Heimdall ransomware virus

Interestingly, the ransomware places its script in $_SERVER[‘DOCUMENT_ROOT’] and encrypts the files in this folder. The most destructive feature of this ransomware is that all files, regardless of their format might be corrupted, by the ransomware. Later on, you can identify the locked files by .heimdall extension. In this regard, the ransomware might be even more damaging than Locky which targets a wide range of files but not all. However, this ransomware suggests that the author might not be related with the crooks of the previously mentioned Locky. The ransom message itself differs from the ransom messages shown by the latter infection.

Though the developer created the ransomware for educational purposes, such behavior of publicly demonstrating the essential features might turn out negatively. There was the case with some variant of Apocalypse when the crook boasted about his creation on the darknet. However, such boasting was quickly spotted by famous virus researcher Fabian Wosar. After all, the ransomware was quickly taken down. Thus, .heimdall file extension virus also presents the signs of such amateur behavior which is opposed to the refined image of Locky. Specialists conclude that now, when the virus was presented as the project on GitHub, the chances of it becoming a global ransomware are low. However, there is a risk for other hackers to get some valuable knowledge for future cyber infections. Likewise, it is crucial how quickly you can initiate Heimdall removal. Employ Reimage to ensure complete eradication.

When does the virus hijack PCs?

Though the Brazilian developer of the hacker was asked to remove the ransomware from GitHub, the malware is still there. It means that Heimdall malware might not have been set free to roam on the world wide web yet. Nonetheless, when it comes to ransomware and their creators, it is naive to expect any drop of conscience. Even if the author does not deploy massive Heimdall hijack campaign, others might do it for him. However, now as the virus researchers get a hold of such virus, the ransomware might fail to reach its full destructive power. If it is published on the Internet, be careful not to carelessly open spam messages. They often happen to hide malicious .doc, .js, or .dll binaries containing the file-encrypting malware.

Easy Heimdall removal guide

If you somehow managed to get infected with Heimdall virus, we recommend using an anti-spyware application, for example, Reimage. This application deals with ransomware-type viruses effectively and ensures that all elements are completely eradicated. The security tool will remove Heimdall within a moment. Do not forget to update it. If you somehow find difficulties eliminating the threat, take a look at the below guidelines. After implementing the steps, you should be able to proceed with Heimdall removal.

What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Heimdall removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Heimdall using System Restore

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP

Click Start→Shutdown→Restart→OK.

When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.

Select Command Prompt from the list

Windows 10 / Windows 8

Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..

When a new window shows up, click Next and select your restore point that is prior the infiltration of Heimdall. After doing that, click Next.

Now click Yes to start system restore.

Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Heimdall removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Heimdall from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Heimdall, you can use several methods to restore them:

ShadowExplorer method

Follow a Shadow Explorer Setup Wizard and install this application on your computer;

Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;

Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Heimdall and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes